Fresh From the Oven: OCR-HHS Issues a Notice of Proposed Rulemaking for the HIPAA Security Rule
‘Tis the season for holiday baking and the elves at the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), have been diligently crafting their own holiday treat. On December 27, 2024, HHS OCR issued a new proposed rule to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (Proposed Rule) for the first time since 2013 (the original rule was published in 2003).[1] The Proposed Rule would require health plans, health care clearinghouses, most health care providers, and business associates to strengthen cybersecurity protections for electronic protected health information (ePHI). HHS OCR had signaled for some time that a Security Rule update was expected this year. Clearly, they did not want to release a half-baked Proposed Rule, but still managed to meet their goal at the end of 2024.
A Hunger for Better Protections
The Proposed Rule was a critical action referenced in HHS’ Healthcare Sector Cybersecurity Concept Paper and supports the strategic objectives set forth in the 2023 National Cybersecurity Strategy issued by the Biden-Harris Administration. HHS Deputy Secretary Andrea Palm explained that a key driver for the Proposed Rule was to address evolving cybersecurity incidents,[2] noting:
“[T]he increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety. These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”
Despite our attempts at festive flair in this update, statistics cited by OCR illustrating the need for the Proposed Rule are decidedly un-merry. For example, in the last five years, reports of large breaches increased by 102%, and the number of individuals affected by such breaches increased by 1002%. OCR noted that these increases are caused primarily by hacking and ransomware attacks. Further, in 2023, over 167 million individuals were affected by large breaches—a new record. In addition to changes in breach trends and cyberattacks, OCR highlighted significant changes in technology and how health care operates since the introduction of the Security Rule, a recognition of the health care sector’s importance to the economic and security interests of the U.S., and problems resulting from a patchwork quilt of state regulation as rationales for the Proposed Rule. In sum, the table was well-set for HHS OCR to embark on an update to the Security Rule.
The Ingredients
The nearly 400-page notice is jam-packed with specifics to strengthen the Security Rule standards and implementation specifications. We summarize key requirements of the Proposed Rule below:
- Removing the distinction between “required” and “addressable” implementation specifications and making all implementation specifications required with specific, limited exceptions.
  - Recall, HHS distinguished between “required” and “addressable” implementation specifications in 2003 to provide regulated entities with flexibility in approach. Based on OCR’s enforcement experience, HHS believes that regulated entities have interpreted “addressable” as optional, leading regulated entities to not adopt implementation specifications when it would be reasonable and appropriate to do so. The move to “required” would eliminate this problem and create a clear expectation for regulated entities.
- Requiring written documentation of all Security Rule policies, procedures, plans and analyses.
- Updating definitions and revising implementation specifications to reflect changes in technology and terminology.
  - A number of key defined terms will be revised. For example, the definition of “access” will be clarified to be more representative of how a user could interact with information to, among other changes, add the activities of “deleting” and “transmitting.”
- Adding specific compliance time periods for many existing requirements.
- Requiring the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
- Requiring greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
  - A review of the technology asset inventory and network map.
  - Identification of all reasonably anticipated threats to the confidentiality, integrity and availability of ePHI.
  - Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
  - An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
- Requiring notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
- Strengthening requirements for contingency planning and responding to security incidents. For example, regulated entities would be required to:
  - Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  - Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
  - Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  - Implement written procedures for testing and revising written security incident response plans.
- Requiring regulated entities to conduct a compliance audit at least once every 12 months to ensure compliance with Security Rule requirements.
- Requiring that business associates verify at least once every 12 months for covered entities (and that subcontractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
- Requiring encryption of ePHI at rest and in transit, with limited exceptions.
- Requiring regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
  - Deploying anti-malware protection.
  - Removing extraneous software from relevant electronic information systems.
  - Disabling network ports in accordance with the regulated entity’s risk analysis.
- Requiring the use of multi-factor authentication, with limited exceptions.
  - A new definition of “multi-factor authentication” is proposed. Regulated entities would be required to use this proposed definition when implementing the Proposed Rule’s requirements for authentication of user identity, which calls for verification of at least two of the following three categories:
    - Information known by the user, including but not limited to a password or personal identification number (PIN).
    - Item possessed by the user, including but not limited to a token or a smart identification card.
    - Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.
- Requiring vulnerability scanning at least every six months and penetration testing at least once every 12 months.
- Requiring network segmentation.
- Requiring separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
- Requiring regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
- Requiring business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
- Requiring group health plans to include in their plan documents requirements for their group health plan sponsors to:
  - Comply with the administrative, physical and technical safeguards of the Security Rule;
  - Ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical and technical safeguards of the Security Rule; and
  - Notify the group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
Despite significant revisions to the regulations, OCR commented that it does not believe that the changes will substantially modify most of a regulated entity’s obligations under the existing Security Rule or pose implementation challenges. Rather, according to HHS OCR, the proposed changes will simply “explicitly codify those activities that are critical to protecting the security of ePHI as requirements and provide greater detail for such requirements. . . .”[3]
OCR offered the proposed requirement mandating encryption of ePHI at rest and in transit (with limited exceptions) to illustrate the impact that the Proposed Rule will have on industry. Under the current Security Rule standard, encryption of ePHI is an addressable implementation specification such that a regulated entity must assess whether encryption is a reasonable and appropriate safeguard in its environment. From OCR’s perspective, undertaking this analysis should have resulted in regulated entities implementing mechanisms to encrypt ePHI in most instances already. As such, OCR believes the move to mandatory encryption will simply obviate the need for regulated entities to perform an analysis of whether encryption is reasonable and appropriate and add little additional burden. Of note, despite this overarching position, the Proposed Rule includes an extended transition period beyond the general 180-day compliance deadline provided for in 45 CFR 160.105 for requirements applicable to business associate agreements and other written arrangements (and OCR is considering a similar extension for plan documents) if certain conditions are met, to alleviate administrative burden for regulated entities. The extended transition period should help industry swallow the significant revisions in the Proposed Rule if finalized.
Also of note, the Proposed Rule is consistent with the HHS Healthcare and Public Health critical infrastructure sector Cybersecurity Performance Goals (CPGs). The CPGs are voluntary goals created by HHS to help health care stakeholders prioritize implementation of strategies to mitigate cybersecurity risk. Those familiar with the CPGs will see the same flavors echoed in the Proposed Rule.
Food for Thought and A Recipe for Response
We remind readers that this is a proposed rule and is not final. To best position your enterprise for compliance with a final rule, regulated entities should:
- Digest the content of the Proposed Rule. A glass of milk is optional. Now is the time to review the content of the Proposed Rule and supply feedback for the development of the final rule. Interested parties may submit public comments within 60 days of publication.
- Evaluate Your Position. While not final, we expect that the majority of changes in the Proposed Rule will be adopted. As such, conducting an initial high-level assessment of any gaps in your existing compliance profile should the rule become final is prudent, including to identify potential impacts on budget and resources. Engage key stakeholders, including technology, legal and compliance personnel in this assessment.
- Policy and Technical Updates. These are not easy as pie to complete, and security safeguard requirements – particularly ones as prescriptive as these – are often black and white (or oil and water) when it comes to compliance audits. Thus, key stakeholders should not wait for the effective date of a final rule to begin planning for implementation.
- Focus on Vendor Diligence. Like vanilla in a cookie, it is explicitly clear that vendor diligence is required for a HIPAA compliance program. Building strong vendor diligence standards and ongoing monitoring into your organization’s compliance program can take some time. We recommend you start strengthening your process in advance of a final rule.
- Consider HIPAA in a Larger Context. HIPAA regulated entities that are already subject to state comprehensive privacy laws may find that several of the explicit requirements in the Proposed Rule follow expectations under state law (and certainly international standards). For example, IT systems with ePHI can be added to existing data maps. If the Proposed Rule is adopted with little modification, HIPAA will become one of the more prescriptive regulatory standards – a significant shift from the current flexibility and scalability framework.
- Continue to Comply with the Existing Security Rule Requirements. While the HHS OCR is undertaking this rulemaking, the current Security Rule remains in effect.
- Watch for State Actions. Remember that states are empowered to enforce HIPAA at the state level. Some states are quite active in this space. Prepare for state regulators to look to the Proposed Rule to inform state-level investigations even before a final rule is implemented.
- Watch for IT Vendor Service Offerings. A clear winner with the Proposed Rule is the IT industry. We will undoubtedly see new and existing vendors begin to tailor service offerings to these new standards. Be careful to select strong, reputable IT partners as your organization explores options. Remember, there is no “HIPAA certified” vendor.
How the Cookie Crumbles
We will continue to monitor developments of the Proposed Rule and will be there to update you when this cookie crumbles, i.e., the final rule is issued. You can stay up to date on progress with our Health & Life Sciences HIPAA, Information Technology, Privacy & Security email list. For questions about this update or inquiries related to HIPAA compliance generally or health care privacy specifically, please contact your Quarles attorney or:
- Simone Colgan Dunlap: (602) 229-5510 / simone.colgandunlap@quarles.com
- Dan Guggenheim: (619) 822-1474 / dan.guggenheim@quarles.com
- Meghan O’Connor: (414) 277-5423 / meghan.oconnor@quarles.com
END NOTES
[1] The current version of the Proposed Rule is unpublished. It is scheduled to be published on January 6, 2025.
[2] Press Release, Office for Civil Rights, HIPAA Security Rule NPRM (Dec. 27, 2024), available here.
[3] Unpublished HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information (proposed December 27, 2024) (to be codified at 45 CFR Parts 160 and 164), page 11, available here.